[cryptography] Diginotar Lessons Learned (long)
James A. Donald
jamesd at echeque.com
Sun Sep 11 06:23:50 EDT 2011
>> On 2011-09-11 9:10 AM, Andy Steingruebl wrote:
>>> 1. Phishing isn't the only problem right?
On 2011-09-11 7:44 PM, Ian G wrote:
> Malware + breaches might be the other 2 biggies.
We now know in principle how to make malware resistant operating
systems, http://jim.com/security/safe_operating_system.html, and the
major operating system vendors are moving in that direction, though
backward compatibility means they move slowly.
Breaches of servers usually involve SQL injection. There are usually
other steps in the process, but one of the key steps is usually SQL
It is a really bad idea for the web page to interface with the database
by constructing command strings. It needs to interface by calling
compiled procedures that have an argument list. This would make it
difficult to write code vulnerable to SQL injection, instead of
difficult to avoid writing code vulnerable to SQL injection.
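An added illustration of the string-building versus argument-list distinction made above, written for this editing pass in Python with sqlite3 standing in for the database (not code from the post or the list); the table contents and the probe inputs are constructed for the example.

```python
import sqlite3

# Constructed sample data so the example runs offline; not from the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("bob",)])
    return conn

def lookup_by_string_building(conn, name):
    # The anti-pattern the post describes: the command is assembled from
    # untrusted text, so that text can change the command's structure.
    sql = ("SELECT name FROM users WHERE name = '" + name + "'"
           " ORDER BY name")
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return "syntax error"  # an innocent apostrophe already breaks it

def lookup_by_argument_list(conn, name):
    # The shape the post calls for: a fixed statement that takes an
    # argument list. `name` is bound as a value by the driver and can
    # never be parsed as SQL syntax, whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]

def compare(name):
    """Return (string-built result, argument-list result) for one input."""
    conn = make_db()
    return (lookup_by_string_building(conn, name),
            lookup_by_argument_list(conn, name))

if __name__ == "__main__":
    # A normal name, a name with an apostrophe, and text containing SQL
    # syntax: only the argument-list version treats all three as data.
    for name in ("alice", "o'brien", "' OR 'x'='x"):
        print(repr(name), compare(name))
```

The string-built query fails on a legitimate apostrophe and returns every row for input that carries SQL syntax, while the argument-list query answers all three inputs as plain lookups.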